[network-manager-openvpn] core: add pkcs#8 key support and simplify key checking (rh #581992)



commit 1e8399656538436ce7729964ff89064bd2a016d0
Author: Dan Williams <dcbw redhat com>
Date:   Mon May 3 22:33:02 2010 -0700

    core: add pkcs#8 key support and simplify key checking (rh #581992)

 auth-dialog/main.c        |    2 +-
 common/utils.c            |   19 ++++++++++---------
 common/utils.h            |    2 +-
 properties/auth-helpers.c |    8 +++++++-
 src/nm-openvpn-service.c  |    6 ++----
 5 files changed, 21 insertions(+), 16 deletions(-)
---
diff --git a/auth-dialog/main.c b/auth-dialog/main.c
index 45ed544..85a324b 100644
--- a/auth-dialog/main.c
+++ b/auth-dialog/main.c
@@ -256,7 +256,7 @@ get_password_types (PasswordsInfo *info)
 		key = g_strdup_printf ("%s/%s/%s", connection_path, NM_SETTING_VPN_SETTING_NAME,
 		                       NM_OPENVPN_KEY_KEY);
 		str = gconf_client_get_string (gconf_client, key, NULL);
-		info->need_certpass = (is_pkcs12 (str) || is_encrypted_pem (str));
+		info->need_certpass = is_encrypted (str);
 		g_free (str);
 		g_free (key);
 	} else if (!strcmp (connection_type, NM_OPENVPN_CONTYPE_STATIC_KEY)) {
diff --git a/common/utils.c b/common/utils.c
index 7574801..09cef38 100644
--- a/common/utils.c
+++ b/common/utils.c
@@ -50,16 +50,14 @@ is_pkcs12 (const char *filepath)
 }
 
 #define PROC_TYPE_TAG "Proc-Type: 4,ENCRYPTED"
+#define PKCS8_TAG "-----BEGIN ENCRYPTED PRIVATE KEY-----"
 
-/** Checks if a key is encrypted
- * The key file is read and it is checked if it contains a line reading
- * Proc-Type: 4,ENCRYPTED
- * This is defined in RFC 1421 (PEM)
+/** Checks if a file appears to be an encrypted private key.
  * @param filename the path to the file
  * @return returns true if the key is encrypted, false otherwise
  */
 gboolean
-is_encrypted_pem (const char *filename)
+is_encrypted (const char *filename)
 {
 	GIOChannel *pem_chan;
 	char *str = NULL;
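Review bot: The rewritten header comment for is_encrypted no longer says what the function looks for, which matters because the auth dialog and the service both use its answer to decide whether to prompt for a key password. I would keep that detail, e.g. `/** Returns TRUE if the file is a PKCS#12 container (assumed to be password-protected) or a PEM file containing a "Proc-Type: 4,ENCRYPTED" (RFC 1421) or "-----BEGIN ENCRYPTED PRIVATE KEY-----" (PKCS#8) line; FALSE if the path is empty or the file cannot be opened. */`. The PKCS#12 branch is worth stating as an assumption: is_pkcs12 is not visible here, and a PKCS#12 file that is not password-protected would still be reported as encrypted. is_encrypted continues into the next hunk.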
@@ -68,15 +66,18 @@ is_encrypted_pem (const char *filename)
 	if (!filename || !strlen (filename))
 		return FALSE;
 
+	if (is_pkcs12 (filename))
+		return TRUE;
+
 	pem_chan = g_io_channel_new_file (filename, "r", NULL);
 	if (!pem_chan)
 		return FALSE;
 
-	while (g_io_channel_read_line (pem_chan, &str, NULL, NULL, NULL) != G_IO_STATUS_EOF) {
-		if (strncmp (str, PROC_TYPE_TAG, strlen (PROC_TYPE_TAG)) == 0) {
+	while (   g_io_channel_read_line (pem_chan, &str, NULL, NULL, NULL) != G_IO_STATUS_EOF
+	       && !encrypted) {
+		if (   !strncmp (str, PROC_TYPE_TAG, strlen (PROC_TYPE_TAG))
+		    || !strncmp (str, PKCS8_TAG, strlen (PKCS8_TAG)))
 			encrypted = TRUE;
-			break;
-		}
 		g_free (str);
 	}
 
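Review bot: The loop condition on the new side still treats every status other than G_IO_STATUS_EOF as a successful read, but as far as I can tell g_io_channel_read_line leaves `str` NULL on G_IO_STATUS_ERROR (for instance a non-PKCS#12 binary file whose bytes are not valid UTF-8), so the strncmp on the following line would dereference NULL. Testing for success instead of for EOF avoids that: `while (   !encrypted && g_io_channel_read_line (pem_chan, &str, NULL, NULL, NULL) == G_IO_STATUS_NORMAL) {`. Note also that the service calls this on a path taken from the connection settings, presumably as a privileged process, and nothing bounds the size of the file or the length of a line that will be buffered before a match is found; stopping after the first few lines or checking the file size before opening it would be cheap hardening. The rest of is_encrypted (the return and channel cleanup) is outside this hunk.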
diff --git a/common/utils.h b/common/utils.h
index 5e6033e..fcdda44 100644
--- a/common/utils.h
+++ b/common/utils.h
@@ -26,7 +26,7 @@
 
 gboolean is_pkcs12 (const char *filepath);
 
-gboolean is_encrypted_pem (const char *filename);
+gboolean is_encrypted (const char *filename);
 
 #endif  /* UTILS_H */
 
diff --git a/properties/auth-helpers.c b/properties/auth-helpers.c
index ba6b0fe..33db4dc 100644
--- a/properties/auth-helpers.c
+++ b/properties/auth-helpers.c
@@ -423,7 +423,7 @@ validate_tls (GladeXML *xml, const char *prefix, GError **error)
 
 	/* Encrypted certificates require a password */
 	str = gtk_file_chooser_get_filename (GTK_FILE_CHOOSER (widget));
-	encrypted = is_pkcs12 (str) || is_encrypted_pem (str);
+	encrypted = is_encrypted (str);
 	g_free (str);
 	if (encrypted) {
 		tmp = g_strdup_printf ("%s_private_key_password_entry", prefix);
@@ -693,6 +693,7 @@ find_tag (const char *tag, const char *buf, gsize len)
 
 static const char *pem_rsa_key_begin = "-----BEGIN RSA PRIVATE KEY-----";
 static const char *pem_dsa_key_begin = "-----BEGIN DSA PRIVATE KEY-----";
+static const char *pem_pkcs8_key_begin = "-----BEGIN ENCRYPTED PRIVATE KEY-----";
 static const char *pem_cert_begin = "-----BEGIN CERTIFICATE-----";
 
 static gboolean
@@ -754,6 +755,11 @@ tls_default_filter (const GtkFileFilterInfo *filter_info, gpointer data)
 		goto out;
 	}
 
+	if (find_tag (pem_pkcs8_key_begin, (const char *) contents, bytes_read)) {
+		show = TRUE;
+		goto out;
+	}
+
 out:
 	g_free (contents);
 	return show;
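Review bot: The new tag only admits the encrypted PKCS#8 form; a plain PKCS#8 key with a `-----BEGIN PRIVATE KEY-----` header matches none of the tags visible in this hunk, so unless it is handled earlier in tls_default_filter (outside the hunk) such a key stays hidden by the default filter. Adding `static const char *pem_pkcs8_unenc_key_begin = "-----BEGIN PRIVATE KEY-----";` next to the other tags and checking it alongside pem_pkcs8_key_begin would close that gap. Separately, the `goto out;` in the new block is redundant because `out:` is the very next statement; `if (find_tag (pem_pkcs8_key_begin, (const char *) contents, bytes_read)) show = TRUE;` reads cleaner. tls_default_filter starts above this hunk.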
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index e1e21ba..3439c75 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -1110,8 +1110,7 @@ real_need_secrets (NMVPNPlugin *plugin,
 		/* Will require a password and maybe private key password */
 
 		key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_KEY);
-		if (   (is_pkcs12 (key) || is_encrypted_pem (key))
-		    && !nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS))
+		if (is_encrypted (key) && !nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS))
 			need_secrets = TRUE;
 
 		if (!nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD))
@@ -1125,8 +1124,7 @@ real_need_secrets (NMVPNPlugin *plugin,
 
 		/* May require private key password */
 		key = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_KEY);
-		if (   (is_pkcs12 (key) || is_encrypted_pem (key))
-		    && !nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS))
+		if (is_encrypted (key) && !nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS))
 			need_secrets = TRUE;
 	}
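Review bot: The same `is_encrypted (key) && !nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS)` test now appears twice in real_need_secrets (here and in the branch of the previous hunk), and both copies had to be touched in step by this commit. Factoring it into a small static helper taking s_vpn that returns `is_encrypted (nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_KEY)) && !nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS)` would keep the two call sites from diverging again. real_need_secrets starts and ends outside this hunk.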
 


